Security researchers at Elastic Security Labs have uncovered a sophisticated Linux malware dubbed PUMAKIT, which employs advanced stealth techniques and unique privilege escalation methods to maintain persistence on infected systems.
PUMAKIT’s multi-stage architecture consists of a dropper, two memory-resident executables, a loadable kernel module (LKM) rootkit, and a shared object userland rootkit.
This complex structure allows the malware to execute its payload only when specific criteria are met, ensuring stealth and reducing the likelihood of detection.
During routine threat hunting on VirusTotal, researchers from Elastic Security Labs encountered a suspicious binary named cron.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
This binary was first uploaded on September 4, 2024, and notably registered 0 detections across multiple antivirus engines at that time. This lack of detection raised immediate suspicions regarding the binary’s potential stealthiness and malicious intent.
PUMAKIT Infection Chain
Upon further investigation, the team discovered another related artifact, identified as /memfd:wpn (deleted), which was also uploaded on the same day and similarly showed no detections.
The presence of these two binaries, both evading detection, pointed towards a more sophisticated malware operation.
The initial stage involves a dropper named “cron” that creates two memory-resident executables: “/memfd:tgt” and “/memfd:wpn“.
While “/memfd:tgt” serves as a benign Cron binary, “/memfd:wpn” acts as a rootkit loader, evaluating system conditions and ultimately deploying the LKM rootkit.
One of PUMAKIT’s most notable features is its use of the rmdir() syscall for privilege escalation, a departure from the more common kill() syscall method used by most rootkits.
This unconventional approach allows the malware to obtain root privileges within its current process, making it more difficult to detect and mitigate.
The LKM rootkit, referred to as “PUMA” by its developers, employs an internal Linux function tracer (ftrace) to hook 18 different syscalls and several kernel functions.
This enables the malware to manipulate core system behaviors, including hiding files and directories, concealing its presence from system tools, and implementing anti-debugging measures.
PUMAKIT also includes a shared object file named “Kitsune,” which is responsible for certain behaviors observed in the rootkit and plays a role in achieving persistence and stealth mechanisms.
The malware’s sophisticated design extends to its command and control (C2) infrastructure, with researchers identifying multiple C2 servers used for communication.
To detect and prevent PUMAKIT infections, Elastic Security Labs has developed several EQL/KQL rules and a YARA signature.
These detection methods focus on various stages of the malware’s execution chain, including unusual file descriptor executions, suspicious command executions through the kthreadd process, and privilege escalation attempts using the rmdir command.
The discovery of PUMAKIT highlights the growing sophistication of malware targeting Linux systems.
Its multi-architectural design, advanced stealth techniques, and unique privilege escalation methods make it a significant threat to organizations using Linux environments.
As PUMAKIT continues to evolve, security professionals are advised to implement the provided detection rules and maintain vigilance against this stealthy and persistent threat.
Elastic Security Labs has committed to ongoing analysis and monitoring of PUMAKIT to keep defenders informed and prepared for potential new variants or updates to this sophisticated malware.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free